15-508 / 17-801 / 19-608: Privacy Policy, Law, and Technology

Homework 5 - due February 12, 2004

Reading assignment: Cranor 5, 6, 7, 11, 12; Millett paper

1. Download and try at least two P3P user agents (for example, Privacy Bird, IE6, Netscape 7 -- see http://www.w3.org/P3P/implementations for other choices). Summarize the similarities and differences between the two user agents. Indicate particular features that you thought were easy to understand and use, as well as those that were not.

2. The Millett paper includes a critique of cookie functionality in several web browsers. Perform a similar analysis for a more recent web browser (perhaps one of the browsers you examined for question 1).

3. Do a Google search for allinurl: access_log to find web sites that publish their access logs for all to see. Find an active access log (with entries from February 2004) and find the entry for your visit to that site. Cut and paste that entry into your homework and also give the URL for that access log. What is revealed about you and/or your computer from this log entry?

4. In homework 3, you each picked an industry or type of web site and read three privacy policies. As it turns out, some of the sites you picked were P3P-enabled but some were not. The following are the industries that students picked from which they selected at least one site to review that is P3P-enabled. Pick one of these industries and review the three sites. (a) For each site determine whether it is fully P3P-enabled, partially P3P-enabled (has some but not all required P3P files, has errors in P3P files, has a compact policy but not a full policy, etc.), or not P3P-enabled at all. Also determine whether each site has any compact P3P policies. For the sites that are P3P-enabled, how many P3P policies do they have? (b) What process did you use to determine which sites were P3P-enabled and had compact policies? (c) At one of the sites that is P3P-enabled, compare the P3P policy with the site's human-readable policy. Do you think the company has accurately captured its privacy policy with its P3P policy? What parts of the human-readable privacy policy are not captured? Are any of these elements things that are supposed to be encoded in a P3P policy (that is, did the site make an error, or are they limited by the P3P syntax)?

Telephone industry - Verizon, AT&T, Cingular

Free email providers - Yahoo!, MSN, Catholic Online

Apparel retailers - Victoria's Secret, Gap, Nordstrom

News - New York Times, CNN, USAToday
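An added worked example (not part of the original assignment) of the check question 4(a)-(b) asks for: given a site's policy reference file (the contents of /w3c/p3p.xml) and the value of its P3P response header, it validates the compact-policy tokens against the P3P 1.0 vocabulary, reads the policy URIs out of the reference file, and buckets the site as fully, partially, or not P3P-enabled. The full/partial/none thresholds and the sample artifacts are my own constructed assumptions; fetching the files from a live site is left to you.

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"
# P3P 1.0 compact-policy vocabulary. Purpose and recipient tokens may carry an
# a/i/o suffix (always / opt-in / opt-out); every other token stands alone.
STANDALONE = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON",   # access
              "DSP", "COR", "MON", "LAW", "NID", "TST",   # disputes, remedies, test
              "NOR", "STP", "LEG", "BUS", "IND",          # retention
              "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}  # categories
SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
            "TEL", "OTP", "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}

def parse_compact_policy(header_value):
    """Split a P3P header value into (known_tokens, unknown_tokens)."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        return [], []
    known, unknown = [], []
    for tok in m.group(1).split():
        base = tok[:-1] if tok[-1] in "aio" and tok[:-1] in SUFFIXED else tok
        (known if base in STANDALONE or base in SUFFIXED else unknown).append(tok)
    return known, unknown

def policy_refs(prf_xml):
    """Policy URIs named by a policy reference file, or None when the file is
    not well-formed P3P (malformed XML, or wrong root element/namespace)."""
    try:
        root = ET.fromstring(prf_xml)
    except ET.ParseError:
        return None
    if root.tag != P3P_NS + "META":
        return None
    return [ref.get("about") for ref in root.iter(P3P_NS + "POLICY-REF")]

def classify_site(prf_xml, p3p_header):
    """Bucket a site as question 4(a) asks (thresholds are my assumption): full =
    reference file naming a policy; partial = something served but broken; none."""
    refs = policy_refs(prf_xml) if prf_xml is not None else None
    known, _ = parse_compact_policy(p3p_header or "")
    if refs:
        return "full"
    if known or prf_xml is not None:
        return "partial"
    return "none"

# Constructed sample artifacts, not taken from any real site.
SAMPLE_PRF = """<META xmlns="http://www.w3.org/2002/01/P3Pv1"><POLICY-REFERENCES>
<POLICY-REF about="/w3c/policy.xml#p1"><INCLUDE>/*</INCLUDE></POLICY-REF>
</POLICY-REFERENCES></META>"""
SAMPLE_CP = 'CP="NOI DSP COR NID CURa ADMa OUR NOR"'
```

A site that serves only a compact policy, or whose reference file fails to parse, lands in the "partial" bucket; unknown tokens returned by parse_compact_policy are the "errors in P3P files" the question mentions.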

5. Do part 2 of the CMU Privacy Policy Mini Project.